Jun 29 2020

The Cybersecurity Risks That Server Closets Still Pose

Small, “non-tiered” data facilities need to be modernized to protect agency data and operations.

The humble server closet has had a long and winding history in the federal government’s long-running data center closure program. 

In a 2016 memo, the Office of Management and Budget stated that smaller data center facilities posed a cybersecurity risk, and identified them as “data centers” that needed to be included in consolidation efforts under the Data Center Optimization Initiative.

In particular, OMB called out server rooms and closets as security risks that should be targeted for closure, as a recent Government Accountability Office report notes.

However, while OMB’s 2019 DCOI guidance “noted the need to address security at these locations and encouraged agencies to continue working to consolidate and optimize them, there is no requirement for agencies to continue to track and report on their progress in closing these smaller facilities.”

Yet in July 2019, GAO found that such server closets posed a material security risk. Specifically, GAO reported that “because these systems can be highly complex and dynamic, technologically diverse, and often geographically dispersed, these factors increase the difficulty of protecting their security.” 

Each server closet “represents a potential access point to an agency’s interconnection with other internal and external systems and networks,” GAO notes, and can be a threat vector. 

As agencies think through how to handle such server closets as pieces of their overall IT environments, they need to enhance the physical security of such facilities. They also can and should use the opportunity to modernize the power and cooling setups in them. And they should modernize and upgrade the servers sitting inside those closets to address IT security risks.

Agencies Can Be Exposed to Vulnerabilities from Server Closets

The typical server closet at an agency facility is literally a broom closet or storage closet that has been converted into a server room with no proper cooling or ventilation. Officials often pop off ceiling tiles to allow the heat from equipment to escape the room. 

Physical security is an issue, as there often is no advanced security solution on the door controlling access to the room. There are often no cameras or motion sensors monitoring the closet, and unauthorized personnel can sometimes easily access the room if it is left unlocked. Unauthorized users could tamper with or steal equipment. Such closets can also be dirty, and that can lead to buildups of dust and static charges. 

From an IT perspective, these facilities are often not counted on the list of IT assets that agencies closely track. The hardware is often outdated and unpatched. The data on them is often not properly backed up. And the offices that support such server closets typically do not have adequate IT staff to inspect and manage the equipment. 


How Agencies Can Truly Optimize Small Data Centers

Optimizing and consolidating server closets “generally incurs large costs for agencies, with little or no benefit from efficiencies gained,” OMB states in its June 2019 guidance. “This often introduces additional hurdles in the form of increased latency and other performance detriments that unfavorably affect agency mission delivery.”

Agencies often have a reason to keep such facilities up and running, such as limited bandwidth on their networks or the fact that the office is in a location where weather can impact network performance. Or, there may be a specialized piece of hardware that only locally based officials have knowledge of. 

In the past, IT officials may not have included such closets in their official count of data centers because they did not want to have to shut them down. Now, OMB has given agencies permission to keep them running. That shift in messaging should give IT leaders an opening to modernize such facilities.

IT leaders should start by treating such closets like actual data centers and training staff to treat them as such as well. They should upgrade physical security to ensure that they can only be accessed by approved personnel and that the equipment inside is closely monitored via cameras or motion sensors. 

Now that these closets can be treated not as problems to hide but as facilities to be managed, IT leaders should push to allocate budgeting for upgrades to the server equipment inside them. Taking that step will lead to newer equipment with more advanced security. It will also ensure agencies can continue to meet their mission needs. IT leaders should also ensure that such facilities have proper power and cooling solutions in place. 

None of this is that expensive, but it is also not free. However, these investments are worthwhile as they will ensure the long-term survivability of agencies’ IT capabilities. 

The updated DCOI guidance means that server closets are no longer tracked the way large data centers are. However, that does not erase them from existence and does not address their vulnerabilities. 

IT leaders and their staff need to know that they can come out of the dark and get funding to make sure these facilities are both secure and functional. If they want to modernize such facilities they can, but they need to speak up and start doing the work of modernization.

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.
